Today, I got a message from one of my friends on Facebook that was essentially a link to a zip file. Without thinking much, I messaged him back asking him to check his computer for infections and whatnot, since it seems like he’s spreading malicious software without even knowing it.

However, I downloaded the file and was curious about its contents. The zip file contained just one JAR, which I disassembled with the Java Decompiler. The archive contained only one class, which looked like this:

Code like this will not make much sense to anybody; it has clearly been processed by some kind of obfuscator. The presence of an HttpURLConnection object is already a red flag, though: after removing all the potentially malicious calls and placing prints for the strings that are de-obfuscated at runtime, I got the following:

I have to say that the obfuscator did a pretty good job of scrambling these. From what I can gather, the JAR is responsible for downloading the DVUXW.CFG file from a Dropbox account if it is not yet present on the system, and then calling regsvr32 on it. The file itself is actually a DLL. I downloaded it and tried to dissect it on my Windows XP virtual machine, but I did not get far: it is quite big. It does import the most important functions from the Windows Cryptography API, as well as WriteFile. However, I was not able to see any communication attempts or socket creation inside the code, which means that this is probably not a piece of ransomware like CryptoLocker. It seems like the binary can be identified by the strings fuckoffnabs1 and myNameIsPepe present inside it. I also submitted the binary to Malwr for analysis.
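Name obfuscation scrambles identifiers, but a class file's constant pool still has to name every JDK class and method it calls, and string literals live there too, so a first triage pass can be done without a decompiler. The following is an added example, not code from the post: it parses the constant pool of each class inside a JAR and reports which indicator families (network access, process execution, file writes, file-hosting domains) appear. The sample JAR, the class name `a`, the Dropbox-style URL and all indicator lists are constructed for the example; only `regsvr32`, `HttpURLConnection` and the file name `DVUXW.CFG` come from the post.

```python
import io
import json
import struct
import zipfile

# Constant-pool tags from the JVM class-file specification (JVMS section 4.4).
CONSTANT_Utf8, CONSTANT_Long, CONSTANT_Double, CONSTANT_Class = 1, 5, 6, 7

# Byte widths of the fixed-size pool entries, tag byte excluded.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# Indicator families (constructed for this example; extend to taste).
INDICATORS = {
    "network": ["java/net/HttpURLConnection", "java/net/URL"],
    "process-exec": ["java/lang/Runtime", "java/lang/ProcessBuilder", "regsvr32"],
    "file-write": ["java/io/FileOutputStream"],
    "hosting": ["dropbox.com", "dropboxusercontent.com"],
}


def constant_pool_strings(class_bytes):
    """Return every CONSTANT_Utf8 entry of a class file. Class names, method names,
    descriptors and string literals all live here, even after name obfuscation."""
    magic, _minor, _major, count = struct.unpack(">IHHH", class_bytes[:10])
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    pos, idx, out = 10, 1, []
    while idx < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == CONSTANT_Utf8:
            (length,) = struct.unpack(">H", class_bytes[pos:pos + 2])
            pos += 2
            # The pool uses "modified UTF-8"; plain UTF-8 is close enough for triage.
            out.append(class_bytes[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag in _FIXED:
            pos += _FIXED[tag]
        else:
            raise ValueError("unknown constant pool tag %d" % tag)
        # Long and Double entries occupy two slots in the pool.
        idx += 2 if tag in (CONSTANT_Long, CONSTANT_Double) else 1
    return out


def triage_jar(jar_bytes):
    """Walk every .class in the JAR and report, per class, which indicators appear."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            strings = constant_pool_strings(jar.read(name))
            hits = {}
            for family, needles in INDICATORS.items():
                found = [n for n in needles if any(n in s for s in strings)]
                if found:
                    hits[family] = found
            report[name] = hits
    return report


def build_class(strings):
    """Build a minimal class file whose pool carries the given Utf8 strings.
    Only the header and constant pool are meaningful; it is not loadable."""
    pool = b"".join(struct.pack(">BH", CONSTANT_Utf8, len(s.encode())) + s.encode()
                    for s in strings)
    pool += struct.pack(">BH", CONSTANT_Class, 1)      # this_class -> entry 1
    pool += struct.pack(">Bq", CONSTANT_Long, 0)       # exercises the two-slot rule
    count = len(strings) + 4                           # slots + 1, Long counts twice
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 50, count)
    trailer = struct.pack(">HHHHHHH", 0x21, len(strings) + 1, 1, 0, 0, 0, 0)
    return header + pool + trailer


def sample_jar():
    """Constructed sample JAR: one class whose pool still names the APIs it touches and
    the literals decoded at runtime. Not the real worm; URL path is a placeholder."""
    cls = build_class(["a", "java/net/HttpURLConnection", "java/lang/Runtime", "exec",
                       "regsvr32 /s",
                       "https://dl.dropboxusercontent.com/s/PLACEHOLDER/DVUXW.CFG"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: a\n")
        z.writestr("a.class", cls)
    return buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(triage_jar(sample_jar()), indent=2))
```

A class that combines `HttpURLConnection`, `Runtime`/`exec` and a `regsvr32` literal in a single-class JAR received over chat is worth quarantining before anyone runs it; the parser deliberately ignores bytecode, so a string decoded only at runtime (as in the post) will not show up here, which is why the author's print-instrumentation step is still needed for the full picture.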

4 responses to "Worms distributed via Facebook : a case study"

Damn, I have it also, I received it via Facebook from a programmer, so I opened it. I already deleted dxuxw.cfg. I already noticed that some program called AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + some more A is autostarting with Windows, you can see it in msconfig. We'll see what'll happen, I'll monitor CPU, RAM, and web connections.

It started a few processes called explorer.exe *32, one of them was always using one thread full time while connected to the Internet. Some files were also located in c:\users\*\Appdata\Microsoft\Windows\Temp. A few also in the registry. ComboFix fixed almost everything. The AAAAAAAAAAAAAAAAAAA(*) process was in msconfig on startup. I disabled it and everything works fine for now.
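The behaviour described in the post and in the comment above (regsvr32 registering a file with a .cfg extension from a user-writable directory, explorer.exe copies running from a temp folder, and an autostart entry whose name is a long run of A's) can be expressed as simple host-based detection logic. This is an added example, not code from the post or from the commenter: it runs over constructed process-creation events and autorun entries in a format invented for the example, and the paths, parent processes and the benign entry names are assumptions.

```python
import re

# Extensions regsvr32 is normally handed; anything else (.cfg, .dat, .txt ...) is odd.
NORMAL_REGSVR32_EXT = {".dll", ".ocx", ".ax"}
# Path fragments that indicate a user-writable location (assumed Windows layout).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")
JAVA_LAUNCHERS = {"java.exe", "javaw.exe"}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _args(command_line):
    """Split a Windows command line, honouring double quotes; drop the image token."""
    toks = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', command_line)]
    return toks[1:]


def regsvr32_findings(event):
    """Flag regsvr32 invocations that look like the post's loader behaviour."""
    findings = []
    if _basename(event["image"]) != "regsvr32.exe":
        return findings
    targets = [a for a in _args(event["command_line"]) if not a.startswith("/")]
    for target in targets:
        low = target.lower()
        base = _basename(low)
        ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
        if ext not in NORMAL_REGSVR32_EXT:
            findings.append("regsvr32 target has non-DLL extension: %s" % target)
        if any(part in low for part in USER_WRITABLE):
            findings.append("regsvr32 target in user-writable path: %s" % target)
    if _basename(event["parent_image"]) in JAVA_LAUNCHERS:
        findings.append("regsvr32 spawned by Java launcher %s" % event["parent_image"])
    return findings


def explorer_findings(event):
    """A process named explorer.exe outside the Windows directory is not the shell."""
    image = event["image"]
    if _basename(image) == "explorer.exe" and not image.lower().startswith("c:\\windows\\"):
        return ["explorer.exe running from non-system path: %s" % image]
    return []


def suspicious_autorun_name(name):
    """Autorun value names that are absurdly long or a run of one repeated character
    (eight or more) are implausible for legitimate software."""
    return len(name) > 60 or re.search(r"(.)\1{7,}", name) is not None


def scan_events(events):
    """Return {event index: [findings]} for every event in the list."""
    return {i: regsvr32_findings(e) + explorer_findings(e) for i, e in enumerate(events)}


# Constructed sample events (not real telemetry). Field names are this example's own.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Program Files\Java\jre7\bin\javaw.exe",
     "command_line": r'regsvr32.exe /s "C:\Users\bob\AppData\Local\Temp\DVUXW.CFG"'},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"regsvr32.exe /s C:\Windows\System32\example.dll"},
    {"image": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Temp\explorer.exe",
     "parent_image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": "explorer.exe"},
]

# Constructed autorun value names: one mimicking the comment, one benign.
SAMPLE_AUTORUNS = ["A" * 90, "ExampleUpdater"]


if __name__ == "__main__":
    for idx, found in scan_events(SAMPLE_EVENTS).items():
        for line in found:
            print("event %d: %s" % (idx, line))
    for name in SAMPLE_AUTORUNS:
        print("autorun %r suspicious=%s" % (name[:12], suspicious_autorun_name(name)))
```

The first event trips all three regsvr32 rules at once, which is the combination worth alerting on; a lone non-standard extension can be a false positive from unusual but legitimate installers, so the rules are kept separate and counted rather than collapsed into one boolean.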

Unfortunately, I have no idea. However, I doubt that these jar/dll files are actually responsible for spreading themselves: the only thing the JAR does is download the DLL, and I haven't seen any WinSock calls in the DLL, which would obviously be needed in order to post anything to Facebook. I can only speculate, but I guess that these messages are the job of a FB application, or a malicious plugin installed inside the browser.